International business groups have raised a number of concerns about the new laws, which were finalised last year, including around the law's vague provisions, and the lack of certainty over their scope and how they might be enforced. Although the law came into force on 1 June 2017, many of its provisions are sufficiently vague that without clarification it is difficult for businesses to understand their remit, at whom they are targeted, and critically how to ensure compliance.
An information audit will not resolve all those concerns, but it can help businesses comply with rules on data storage and transfers, set out in the new laws, which the Chinese authorities have confirmed will not be enforced for 19 months. Rules regarding the handling and transfer of Chinese data are likely to have the biggest initial impact on how international businesses operating in China need to re-examine their data strategy.
Experts at Pinsent Masons, the law firm behind Out-Law.com, will be hosting an event in Hong Kong on Wednesday 27 September 2017 where they will be providing an update on the China Cyber Security Law. You can register for the event here.
What does the new law say?
The new laws address a wide range of cyber and data-related issues.
The law applies to 'network operators' – a loosely defined term which covers those who own or manage networks in China, as well as those that provide network services in the country, whether they are based in China or overseas. The term is currently worded in such a way that it could be applied to individuals operating networks from their own home as equally as it could be applied to the biggest technology companies in the world. The reality is that not only communications operators will be affected – banks and international businesses that handle or transmit data will all be impacted by the law.
Network operators must take steps to prevent cybersecurity breaches and record and report such incidents. They also face new penalties if they mis-use personal information.
However, it is the provisions relating to the storage and transfer of data by 'critical information infrastructure operators' that have provoked much of the concern from business groups. It has not been clarified what precisely would be classed as 'critical information infrastructure'.
Under the rules, critical information infrastructure operators must store personal information and "other important data" that they gather or produce during their operations in China, in mainland China. What constitutes 'important data' is unclear.
If the business wants to transfer the data elsewhere in the world they must be able to show that it is "truly necessary" for "business requirements" and "conduct a security assessment" in relation to their prospective data transfers arrangements in accordance with measures set by the Chinese authorities. Much of the new law appears to be in line with China’s desire to establish its own cyber sovereignty, with strict control over what data moves in and out of its borders.
In the absence of clarification by the Chinese government, international companies are taking steps to ensure that Chinese data stays in China. The business impact of this should not be underestimated.
What is the nature of businesses' concerns?
There is a real concern about the local data storage requirement among foreign businesses. Not only do they face additional costs in setting up their own Chinese data centres or partnering with local providers, they are concerned about the risk of Chinese authorities accessing that data.
Under the new laws, Chinese authorities have the power to conduct "spot testing" of critical information infrastructure security risks. The powers allow the authorities, "when necessary", to "retain a network security service establishment to conduct testing and assessment of network security risks".
Some large technology companies operating in China are already used to state authorities seizing data and documents from their premises under China's competition law regime. Now, wider ranging powers to access sensitive commercial information could be utilised by the Chinese state under the guise of a security risk assessment.
Potential penalties for breaches of the rules on local data storage and data transfers include, at the serious end of the spectrum, the closure of websites, revocation of operations permits and the cancellation of business licences.
The fear, therefore, is that the powers could be used to enforce cyber sovereignty in China and push out foreign businesses that use or need an online presence with limited accountability as to how such powers are used.
The restrictions on data storage and transfers means that it is vital that foreign technology businesses operating critical information infrastructure in China are able to identify which of the data they hold stems from their operations in China. They must delineate all the information and make sure it is kept separate from other data that they hold.
For some businesses, that process will entail an entire remodelling or modification to their network infrastructure.
An information audit can help businesses understand what type of data they hold, what the origins of that information is, and where it is currently processed. It is a worthwhile exercise for foreign technology businesses in China to undertake.
After that, the next step is to look to the business community in China, Hong Kong, and internationally for guidance on best practices to deal with and comply with the new law. Whilst China may be one of the first major jurisdictions to introduce such strict rules in relation to the handling and transmission of data, it is unlikely to be the last.
Paul Haswell is a Hong Kong-based technology law expert at Pinsent Masons, the law firm behind Out-Law.com. Experts at Pinsent Masons will be hosting an event in Hong Kong on Wednesday 27 September 2017 where they will be providing an update on the China Cyber Security Law. You can register for the event here.